Built-in Security

OWASP-aligned protections enabled by default. Secure your applications without extra configuration.

Security by Default

Oorian includes comprehensive security features that protect your application out of the box.

CSRF Protection

Built-in Cross-Site Request Forgery protection for all communications. Enabled by default.

Auto-Escaping Output

HTML content is escaped by default, preventing XSS attacks with zero developer effort.

Security Headers

HSTS, X-Content-Type-Options, X-Frame-Options, and more configured centrally.

Secure Cookies

HttpOnly, Secure, and SameSite attributes set by default on session cookies.

Rate Limiting

Built-in throttling for events and requests per session to prevent abuse.

Input Sanitization

Utility methods for sanitizing user input to prevent injection attacks.

XSS Prevention

Cross-Site Scripting (XSS) attacks are prevented automatically through output encoding.

Automatic HTML Escaping

java

// User input is automatically escaped
String userInput = "<script>alert('xss')</script>";

Div message = new Div();
message.setText(userInput);
// Renders as: &lt;script&gt;alert('xss')&lt;/script&gt;

// Use setRawHtml() only for trusted content
message.setRawHtml(trustedHtml);

Input Sanitization Utilities

java

// Sanitize user-provided content
String safe = Sanitizer.html(userInput);
String safeUrl = Sanitizer.url(userUrl);
String safeSql = Sanitizer.sqlIdentifier(column);

// Strip all HTML tags
String plainText = Sanitizer.stripTags(htmlContent);

// Allow only specific tags
String limited = Sanitizer.allowTags(html, "b", "i", "a");

WebSocket Security

Oorian's WebSocket-based architecture includes specialized security measures.

Origin Validation

WebSocket connections validate the Origin header to prevent cross-site hijacking. Configure allowed origins at the application level with support for wildcard subdomains.

Message Size Limits

Configurable maximum message sizes prevent memory exhaustion attacks. Sensible defaults protect your application while allowing customization for specific needs.

Connection Limits

Prevent resource exhaustion by limiting connections per user and per IP address. Protects against denial-of-service attacks from both authenticated and anonymous users.

Rate Limiting

Built-in throttling tracks events per time window to prevent abuse. Configure limits at the application level with per-page overrides for sensitive operations.

Configuration Example

java

// In your Application class
@Override
protected void initialize()
{
    // WebSocket origin validation
    setAllowedOrigins("https://myapp.com", "https://*.myapp.com");

    // Connection limits
    setMaxConnectionsPerUser(10);
    setMaxConnectionsPerIP(50);

    // Rate limiting (requests per minute)
    setDefaultRateLimit(100, Duration.ofMinutes(1));

    // Message size (bytes)
    setMaxWebSocketMessageSize(1_000_000);
}

Access Control

Declarative security annotations integrate naturally with Oorian's page architecture.

Page-Level Security Annotations

java

@Page("/admin/users")
@RequiresAuth
@RequiresRole("ADMIN")
public class UserManagementPage extends HtmlPage
{
    // Only authenticated admins can access
}

@Page("/settings")
@RequiresAuth
@RequiresPermission("settings:edit")
public class SettingsPage extends HtmlPage
{
    // Fine-grained permission check
}

Session Timeout Configuration

java

// Application-level defaults
setDefaultIdleTimeout(Duration.ofMinutes(30));
setDefaultAbsoluteTimeout(Duration.ofHours(8));

// Sensitive pages can override
@Page("/banking/transfer")
@SessionTimeout(idle = 5, unit = TimeUnit.MINUTES)
public class TransferPage extends HtmlPage
{
    // Shorter timeout for sensitive operations
}

Input Validation Framework

Annotation-based validation integrates with form handling for type-safe, declarative validation.

java

public void onFormSubmit(FormEvent event)
{
    ValidationResult result = Validator.validate(event.getParameters())
        .field("email").notEmpty().email()
        .field("password").notEmpty().minLength(8)
        .field("age").range(18, 120)
        .field("phone").pattern("\\d{3}-\\d{3}-\\d{4}")
        .check();

    if (!result.isValid())
    {
        showErrors(result.getErrors());
        return;
    }

    // Process valid input
}

OWASP Top 10 Coverage

Oorian's security features align with the OWASP Top 10 vulnerabilities.

A01Broken Access Control

Page-level security annotations, session management

A02Cryptographic Failures

Secure cookie defaults (HttpOnly, Secure, SameSite)

A03Injection

Auto-escaping output, input sanitization, validation framework

A04Insecure Design

Rate limiting, message size limits, session timeouts

A05Security Misconfiguration

Security headers middleware, secure defaults

A07Auth Failures

CSRF protection, origin validation